Sometimes, the best place to hide things is in plain sight...

One of the revelations from the recent capture of a number of deep cover Russian spies here in the US was that they used steganography (the concealment of data within innocuous looking files) in order to hide and transmit secret documents and messages to their handlers.  Steganography is one of those techniques which get talked about a lot a security conferences, but has not seemed to play a major role in news of security breaches.  This seems a bit odd to me – stego seems like a great way to exfiltrate information in plain sight.  By embedding ill gotten data in vacation pictures posted to Flickr or Facebook, spies (corporate or otherwise) can create very low risk electronic dead drops with a few mouse clicks.  Unlike encryption, stego does not leave suspicious encrypted files to exfiltrate, just innocent looking pictures or songs.  The software needed to create stego protected files is available on the Net.  So why (other than some articles about Al Qaeda reportedly using stego to embed secret information in internet images) do we not hear more about this technique?  I have a couple of hypotheses here:

Attackers are using stego, but they are not getting caught. Detection of files with steganographically hidden content is very difficult, requiring very specialized knowledge and tools which most enterprises and forensic examiners don’t have access to.

Attackers don’t need to use stego because they don’t need to. There are so many organizations out there who do not have a handle on what information is leaving their networks, that they don’t feel the need to go to the trouble of hiding the information they are swiping.  Or they are using really low tech methods to get the data out of the organization, like printing, or fax, or this.

Is stego a real threat to the enterprise?  I am not sure.  But the availability of stego underlines the need to build a security culture in your organization and use both technology and non tech means to detect potential problems.  Stego seems to be a tool which insiders would be predisposed to use – detecting insider threats takes both technology and plain old vigilance.  There is some excellent information on detecting insider threats available from the CERT team – this should be on your reading list.

This post was inspired by Kai Axford’s (Accretive Solutions) great presentation at today’s New York Metro InfraGard meeting.

Is Microsoft a cyber-Benedict Arnold?

OK, call me a cold war relic, but I find the recent revelation that Microsoft has provided the source code for Windows, SQL Server, and Office to the Russian FSB (the spies formerly known as the KGB) as well as to the Chinese government quite disturbing. As recent events prove, Russia is still actively engaged in espionage against the US public and private sectors.  We know that the Chinese People’s Liberation Army is actively building an offensive cyber capability and that they use technology to suppress free expression in their country.  Microsoft’s disclosures have been going on since 2002, as part of a program under which Microsoft has supplied source code for its products to a number of countries as well as NATO.

It does not take too much imagination to conjure up visions of Russian or Chinese  government security researchers finding zero-day exploits to allow their paymasters to craft undetectable malware which is then placed on US government and private sector computers.  Such an attack would be a cost effective, low risk way to gather more information in a day than the recently unmasked spy ring was able to collect over a decade.   It takes even less imagination to envision the Chinese government using their access to Windows source code to build more efficient tools to monitor and muzzle those who dare to speak out against the Communist Party.

This incident raises a number of  interesting questions.

Is Microsoft (a company born in America, whose success was built on the US market, and which benefits from tax breaks funded by US taxpayers) right to provide access to source code of products which are the underpinnings of all sorts of critical infrastructure to nations which are actively engaged in espionage against the US and whom we may meet on the cyber battlefield of the future?  It seems to me that this is sort of like hiring a company to build a fort and then allowing them sell the plans to your adversaries.

Should Microsoft’s products have some sort of special status which recognizes them as part of the US critical infrastructure?  After all, Microsoft has been allowed to gain what is basically a monopoly in the US market for operating systems and other key software.  Does this engender a responsibility on their part to act in accordance with US national interests?   I think it does.

Microsoft hasn’t done anything illegal here.  It would be nice if they felt a need to protect the critical infrastructure of their country, but as a private entity with no laws or regulations to prevent their actions, they made the logical business decision to share the source code in order to gain better access to the Russian and Chinese markets.   However, their choice is a bum deal for the rest of us, who will have to deal with the repercussions of this decision while Microsoft reaps the profits.  We need to tell our legislators that it is time to take a fresh look at what we ask of companies like Microsoft and Cisco, whom we have allowed to develop monopolies on key parts of the nation’s critical infrastructure.  In the conflicts yet to come, cyberspace will play a key role – and Microsoft has sold the plans for the fort to potential adversaries.

something new for the po-po to listen to?

Here’s an interesting story that bears some watching… security researcher Sean O’Neill claims to have reverse engineered the proprietary encryption which Skype uses to protect voice, video and IM communications on its network.    This work, while impressive, does not mean that Skype’s encryption has been broken, since knowing the details of an encryption algorithm does not allow you to decrypt data unless you can also derive the keys used to encrypt the data.  However, there are some reports that the O’Neill’s code has been used to launch spam attacks on Skype users.  I am sure that intelligence and law enforcement agencies all over the world are quite interested in how this all turns out, as they have complained in the past that Skype provides criminals, terrorists and other n’er do wells with un-wiretap-able communications.  O’Neill plans to provide more information on his work at the Chaos Computer Congress in December. 

In the mean time, I plan to continue using Skype without too much worry.  Of course, I’ll think twice about using it for coordinating the global tentacles of my evil plan for world domination, but I see no reason to avoid Skype for personal and business communications right now.  Stay tuned.

Wanna be friends?

You can never have too many friends – or CAN you?  (Hint: you can).   A recent social engineering experiment conducted by Thomas Martin of Provide Security showed the dangers of blindly accepting connection requests from people on social networks.  Martin set up multiple social network profiles for a fictitious person named Robin Sage who supposedly worked in US military intelligence circles.  “Robin” then sent connection requests to a variety of people in the security and intel communities (people who should know better, in other words).  The result?  In an interview with CSO Magazine, he stated that:

By the end of the 28-day experiment, Robin finished the month having accumulated hundreds of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences, said Ryan.

More alarmingly, according to an article from DarkReading,

Robin actually duped an Army Ranger into friending her. The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.

Can you spell “bad operational security?”

Martin will be revealing all of his findings from the Robin Sage experiment in a talk at Black Hat later this month – should be quite entertaining for most and deeply embarrassing for a few.

There are some lessons learned to be learned from this incident for those of us who are not part of the military:

If you get a friend/connection request from someone you don’t know, don’t blindly accept it. When you bring someone into your online network, you are also granting them access to information about you (contact information, status updates, photos, etc.) as well as your organization (in the case of professional networking sites like LinkedIn)

Just because a “new friend” is already connected to some of your current friends does not mean that you should connect to them. All it takes is one careless connection to start an “avalanche of (misplaced) trust” and give an evildoer lots of information about yourself and your organization.  Trust me – I have seen this happen.  You know who you are.

Review the privacy settings for your social networking accounts and be sure that you are aware of and comfortable with the information that is shared with the public at large and with your “friends.” The privacy settings in Facebook and Linked In are rather complex.  I recommend using a privacy scanner tool to keep an eye on who can see what on your profiles… I really like one called Privacy Defender for Facebook, which allows you to easily see and modify who can and cannot see your info.  For LinkedIn, it seems like the only way to manage your privacy is manually via the Settings menu; it is sort of a pain, but the explanations provided by the site are pretty good.

And Robin Sage ain’t your friend.

PS – “Robin Sage” is the code name for the last training exercise that Army Rangers must complete before they are truly “Green Berets” – and none of the military folks (including at least one Ranger) caught on.  Sigh…

Did they have it all wrong?

A few weeks back, I blogged about some research on the economics and potential malware risks posed by Internet pornography.  Well, a *new* study from Avast Software finds that non pornographic sites serving up malware outnumber pornographic sites serving malware by a factor of almost 100 to one.  Furthermore, Avast contends that there are more malware infected domains containing the word “London” than there are containing the word “sex.”  Not sure what this says about London.  I guess the morals of the story are:  for every study claiming fact x, there will be one claiming fact y and that the internet is as dangerous a place for the vituous as it is for the naughty.  Have you updated your antivirus and plugins lately?

In the old days, this type of scam was called “salami slicing” – stealing just a little bit (one slice of salami) from a lot of people adds up to a big salami.   Mmmmmm…. salami…. 

This is a really hard type of fraud to fight… since so few of the charges were contested, it took 4 years for and credit card issuers and feds to find a pattern.  In the mean time, all of the victims suffered very small losses.  The ringleaders got their millions and are still on the lam (eating salami and caviar sandwiches, I assume).

The research in question was conducted by a team of researchers from the Technical University of Vienna, Institute Eurecom, and UC Santa Barbara.  A brief digression here… if I had been informed that conducting studies of Internet porn was an option, I definitely would have finished college and gone into academia.  We should let kids know about this so that they stay in school!

Any-who… Our lucky, lucky, research team found that pornography accounts for 12% of web pages on the Internet and that the porn industry was worth over $97 billion in 2006.   For some perspective, this is more than the combined revenues of Microsoft, Google, Apple, Amazon, eBay and Yahoo! Combined.  And this is in spite of the absolute torrent of free porno to be found on the net.  (Or so I have been told.)

Much of the paper was devoted to describing just how the porno ecosystem can be so lucrative.  My interest, though was purely from a security perspective…

Researchers found that 3.23 percent of the adult web site pages they examined “were found to trigger malicious behavior such as code execution, registry changes, or executable down- loads.”  However, many of the evil pages show signs that their malware payloads were the results of hackers compromising the adult sites.  In these cases, it would seem that the attackers are taking advantage of the high traffic rates to expose their ‘sploits to the largest possible audience.

The researchers then went a step further, actually setting up two adult web sites and registering with affiliate programs and traffic brokers to lure unwary pornophiles to participate in their research (although no perverts were harmed in the course of the study.)  These sites were configured to collect information about their visitors’ computers, noting browser and plug in versions as well as performing specific checks for vulnerable plugins used to handle Word and PDF documents.  The researchers then bought 49,000 visitors from the traffic brokers (for about USD 160) and analyzed their visitors.  Of the 49,000 visitors, the researchers were able to build complete browser profiles for just under half.  After further analysis, just over 20,000 of the visitors were found to have one or more of the vulnerabilities that the researchers were scanning for.  Almost 6,000 users had multiple vulnerabilities.

Now in this case, no malware was installed on the unwitting experiment participants, but had the researchers had nefarious intent in mind, they could have put together a 20,000 node botnet for just a couple of hundred dollars.  (Actually, they could have offset their costs by installing other ad/spy/scareware on their prey.)

The take aways?  First, this was an excellent, enlightening and engrossing paper which I highly recommend reading – the economics of Internet porn really interesting.  Second, surfing porn does pose a small but non zero risk – one which was significantly higher than shown in previous research.  There is not enough data here to show a trend of increasing risk, but it would make sense, given the cost effectiveness of porn as a malware vector, that cybercriminals would increasingly look to this method of building botnets.

Now if you’ll excuse me, I have some research, yeah, research to attend to…

The Panopticlick software developed by the EFF researchers looks at a wide variety of information which a web site can gather from any visiting client.  By combining a number of these seemingly innocuous pieces of information, a client fingerprint can be calculated:

Browser and plugin versions

Configuration options

ACCEPT headers

Screen resolution

Fonts

Time Zones

MIME types

The EFF collected its data via a website which it set up and publicized, so we can assume that the data they collected came from people who are interested in their privacy.  Despite this self selected sample, the findings do not bode well for privacy on the Internet:

• Overall, the browsers of 83.6% of all visitors to the test site had unique fingerprints.

• If a browser has Adobe Flash or the Java Virtual Machine enabled, there was a 94.2% chance that its fingerprint was unique.

• Since the fingerprints are based on browser configuration settings, they can change rapidly.  However, the researchers were able to detect changed fingerprints and tie them back to the original fingerprint in 99.1% of cases via an algorithm.

• Some good news for mobile device users – iPhone and Android based browsers had more uniform fingerprints and were harder to differentiate from one another due to the lack of plugins and options available.  However, as mobile browsers become more sophisticated, this technique may become applicable to these browsers on the go.  Also, it is important to note that the mobile browsers do not have good ways to control cookies, leaving them open to cookie based fingerprinting.

In related work, researchers from an Australian university have found that they were able to identify by name many users of Xing, a social networking site in Germany.  The researchers first collected information on 6500 groups and their 1.8 million members.  By simply analyzing the overlaps in group memberships, they were able to discern the identities of 42% of the users.  They next created a web site which, when visited, examined the browser history of the visitor.  Of the 26 test subjects they enlisted, the identities of 15% were revealed simply by visiting the site.  Xing has updated their software to protect against these types of attacks, but other sites may still be vulnerable.

So… what does this all mean?  Well, first of all, marketers and site owners have a new tool to track visitors, including those who have disabled cookies (in order to avoid such tracking).   Second of all, these techniques provide scammers and malware authors with a way to track their victims’ web activity without leaving telltale traces.  On the bright side, these fingerprinting techniques could also be used for good purposes, such as providing an additional level of authentication for banking and other sensitive web sites (and there is evidence that this is already being done, although mostly using cookies).  Law enforcement could use these techniques during investigations, although given the politics of many nations, this could be a really bad thing as well.  The EFF wants policymakers to expand their definition of personnally identifiable information to include fingerprintable records – I think that this is a topic worthy of discussion.  I also think that browser designers need to work on this problem from a technical point of view.

Want to cover your tracks?  Well, you could block Javascript – this provides pretty good protection against the techniques EFF used, but at a cost in terms of web site usability and functionality.  You could start using TorButton to route your web traffic via anonymizing proxies.  You could use your iPhone or Android phone to do all your web surfing.  None of these solutions is ideal.

So… another nail in the coffin of privacy…

In April of this year, the SeaMeWe-4 cable, which carries 89% of the traffic between the Middle East and Europe, was cut, severly impacting Internet and telephone communications between the two areas.  In 2008, a series of cable cuts in the Middle East disrupted network access and spawned a number of conspiracy theories due to the fact that neither Iraq or Israel were affected.  Back in 2006, a major earthquake cut the APCN2 cable connecting China, Hong Kong and other Asian countries bringing online commerce to a halt for days and resulting in network performance disruptions for months.

The good news is that notice is being taken – the IEEE held a “Global Summit on the Reliability of Global Underseas Communication Cable Infrstructure“  (ROGUCCI for those in the know) in Dubai in October 2009 where experts came from all over the world to discuss how to keep our undersea cables safe and secure.  I took a look at the report from this conference and learned some other interesting facts about undersea cables:

• Undersea cables are one of the rare places here on Earth that we get to see the effects of the speed of light.  As data or voice traffic takes its journey through cables, there can be a delay of up to a tenth of a second, which can be heard by humans and interfere with time sensitive data communications.  Satellite latency is even larger – this is one reason why all that intercontinental traffic can’t be rerouted via the heavens.

• Every second, the planet’s undersea cables carry 30 terabytes of information from continent to continent – and more data is added to this torrent every day.  (I think that 28T of that traffic is porn…)

• When there is a cable failure, traffic must be rerouted by other cables, making the path taken by the data much longer, increasing latency and adding traffic to links which may already be congested.  There is no Plan B for the undersea cable network.

• Cable ships and their crews are a shared resource – the number of simultaneous repairs that can be performed is limited.  Time to repair is also extended due to some countries’ bureaucratic permit processes which the repair ships must complete before entering their territorial waters to get to work.   Cable ships are also a potential target for pirates – cable operators worry that pirates could take over a cable ship and demand a hefty ransom for its release, delaying repairs further.  Pirates have already caused problems for cable laying off the coast of Africa.

• Threats to cables are on the rise; they are strategic targets in times of war and are also threatened by the increasing mining of the ocean’s floor.  However, the importance of undersea cables was acknowledged as far back as 1884, when the major powers of the time signed the International Convention for the Protection of Submarine Cables in Paris.  Today, the International Cable Protection Committee lobbies internationally (hence the name) to keep our undersea cables safe and secure.

Undersea cable security needs to be on all of our agendas… the Internet links that allow me to post this blog entry from my hotel room in London are also the ones which major financial institutions use for moving money around the world and which an increasing amount of commerce depends on.    Governernments need to safeguard cables and cable repair ships and most importantly, build the redundant links which will allow our planetary nervous system to recover from damage.

The new settings default to sharing quite a bit of information – you may be (unpleasantly) surprised about what Facebook is telling the world about you.

This website provides a browser bookmarklet which will scan your privacy settings and let you know what you might want to change.   Take five minutes to protect your online privacy…